IP Address Change on PIX-to-PIX VPN

Posted on 2006-05-13
Last Modified: 2013-11-16
I have an IP address that has been changed by Insight, causing the site-to-site VPN tunnel to quit functioning.  I have corrected this once, but have lost some of my notes.  I know that I issued a 'no crypto' command and a 'no isakmp' command followed by the same two commands (without the no) using the new IP address.

I remember issuing some command to show the current setup and then copying the existing crypto and isakmp commands from this output, but I can't remember the command that was issued to show this information.

Can anyone refresh my memory, or provide me with a sample set of commands for completing this task?

Question by:GeeWHIZLLC

    Assisted Solution

    On the PIX whose IP has changed:
    # clear any existing VPN connections
    clear cry ips sa
    clear cry isa sa

    # remove the crypto map & disable isakmp
    no crypto map my_map interface outside
    no isakmp enable outside

    # re-apply map & re-enable isakmp
    crypto map my_map interface outside
    isakmp enable outside

    On the remote PIX:
    clear cry ips sa
    clear cry isa sa
    no crypto map my_map interface outside
    no isakmp enable outside

    # remove old isakmp peer, create new one
    no isakmp key <some_key> address <old_IP>
    isakmp key <some_key> address <new_IP>

    crypto map my_map interface outside
    isakmp enable outside

    If either PIX is running buggy 6.3(1), reboot the unit.  Now start pinging from hosts behind either of the PIXes to the other internal LAN to re-establish the tunnel.  


    Author Comment


    Those are the commands I remember.  However, I can't remember what command I used to get a list of the current maps defined on the remote pix.

    Accepted Solution

    To show defined crypto maps:
    sh cry map

    To show current VPN security associations:
    (You can add the keyword "detail" at the end of each command below for more verbose output.)
    sh cry ipsec sa
    sh cry isakmp sa
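
The step the question describes (listing the current setup, then re-issuing the crypto and isakmp lines with the new address) can be checked offline against a saved copy of the remote PIX configuration. The following is an added example, not part of the original thread: `peer_change_commands` is a hypothetical helper, the sample configuration and all addresses are constructed, and it assumes PIX 6.x style `crypto map ... set peer` and `isakmp key ... address` lines.

```python
import re

# Constructed sample of a remote PIX 6.x running config (not from the thread).
SAMPLE_CONFIG = """\
access-list vpn_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map my_map 10 ipsec-isakmp
crypto map my_map 10 match address vpn_acl
crypto map my_map 10 set peer 198.51.100.10
crypto map my_map 10 set transform-set my_set
crypto map my_map interface outside
isakmp enable outside
isakmp key ******** address 198.51.100.10 netmask 255.255.255.255
isakmp key ******** address 198.51.100.100 netmask 255.255.255.255
"""

def peer_change_commands(config, old_ip, new_ip):
    """Return (stale_lines, commands) for every config line naming old_ip."""
    # Match the address as a whole token so 198.51.100.10 does not hit 198.51.100.100.
    token = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    stale, commands = [], []
    for line in config.splitlines():
        line = line.strip()
        if not token.search(line):
            continue
        stale.append(line)
        if line.startswith("isakmp key "):
            # The saved config masks the pre-shared key, so it cannot be copied
            # back; <some_key> is a placeholder the operator fills in.
            line = re.sub(r"^isakmp key \S+", "isakmp key <some_key>", line)
        commands.append("no " + line)               # remove the old-peer line
        commands.append(token.sub(new_ip, line))    # re-add it with the new peer
    return stale, commands

if __name__ == "__main__":
    stale, commands = peer_change_commands(SAMPLE_CONFIG, "198.51.100.10", "203.0.113.20")
    print("\n".join(commands))
```

Running the same function again on the configuration saved after the change should return an empty `stale` list; any line still listed there still points at the old peer address.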
